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Abstract. We give a deterministic algorithm that very quickly proves the pri- 
mality or compositeness of the integers Af in a certain sequence, using an ellip- 
tic curve E/Q with complex multiplication by the ring of integers of 7). 
The algorithm uses 0(log Af) arithmetic operations in the ring X/NZ, implying 
a bit complexity that is quasi-quadratic in log N. Notably, neither of the clas- 
sical "N — 1" or "N + 1" primality tests apply to the integers in our sequence. 
We discuss how this algorithm may be applied, in combination with sieving 
techniques, to efficiently search for very large primes. This has allowed us to 
prove the primality of several integers with more than 100,000 decimal digits. 
We believe that these are the largest proven primes for which no nontrivial 
partial factorization of iV — 1 or Af -|- 1 is known. 



1. Introduction 

With the celebrated result of Agarwal, Kayal, and Saxena [I], one can now un- 
equivocally determine the primality or compositeness of any integer in deterministic 
polynomial time. With the improvements of Lenstra and Pomerance ^T§ ,, the AKS 
algorithm runs in 0{n^) time, where n is the size of the integer to be tested (in 
bits). However, it has long been known that for certain special sequences of integers, 
one can do much better. The two most famous examples are the Fermat numbers 
Ffc = 2^ +1, to which one may apply Pepin's criterion [24], and the Mersenne 
numbers Mp = 2^ — 1, which are subject to the Lucas-Lehmer test [1^. In both 
cases, the corresponding algorithms are deterministic and run in O(n^) time. 

In fact, every prime admits a proof of its primality that can be verified by a 
deterministic algorithm in O(n^) time. Pomerance shows in |25[ that for every 
prime p > 31 there exists an elliptic curve E/¥p with an Fp-rational point P of 
order 2*" > (p^^^ + 1)^, which allows one to establish the primality of p using just r 
elliptic curve group operations. Elliptic curves play a key role in Pomerance's proof; 
the best analogous result using classical primality certificates yields an 0{n^) time 
bound 27 , cf. 6, Thm. 4.1.9]. 

The difficulty in applying Pomerance's result lies in finding the pair {E,P), a 
task for which no efficient method is currently known. Rather than searching for 
suitable pairs {E, P), we instead fix a finite set of curves Ea/Q, each equipped with 
a known rational point Pa of infinite order. To each positive integer k we associate 
one of the curves Ea and define an integer Jk for which we give a necessary and 
sufficient condition for primality: Jk is prime if and only if the reduction of Pa 
in Ea{¥p) has order 2*^+^ for every prime p dividing Jk- Of course p = Jk when 
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Computations for k up 
to 10^ will appear in 
the final version. 



Jk is prime, but this condition can easily be checked without knowing the prime 
factorization of Jk- This yields a deterministic algorithm that runs in 0{n^) time 
(see Algorithm 15. II) . 

Our results extend the methods of Gross .13. ■ Denomme and Savin [7 , and 
Tsumura [33] , all of which fit within a general framework laid out by Chudnovsky 
and Chudnovsky in [5] for determining the primality of integers in special sequences 
using elliptic curves with complex multiplication (CM). The elliptic curves that we 
use lie in the family of quadratic twists defined by the equations 

(1) Ea-.y^^x^- 35a^x - 98a^ 

for square- free integers a such that Ea{Q) has positive rank. Each curve has good 
reduction outside of 2, 7, and the prime divisors of a, and has CM by Z[q;], where 

" = ^— 

For each curve Ea, we fix a point Pa E Ea{Q) of infinite order with Pa ^ 2Ea{Q)- 
For each positive integer k, let 

jk = l + 2a'' € Z[a], Jk = Jkfk = 1 + 2(a'= + a"") + 2'=+^ e N. 

The integer sequence Jk satisfies the linear recurrence relation 

Jk+4 — 4:Jk+3 — TJk+2 + SJ/c+i — AJk, 

with initial values Ji J2 = 11, J3 = 23, and J4 ~ 67. This relation implies 
(by Lemma [4. 4p that Jk is composite for k = Q (mod 8) and for fc = 6 (mod 24). 
To each other value of k we assign a squarcfree integer a, based on the congruence 
class of k (mod 72), as listed in Table [T] Our choice of a is based on two criteria. 
First, it ensures that when Jk is prime, the Frobenius endomorphisni of E mod Jk 
corresponds to complex multiplication by jk and 

E{Z/JkZ) ~ Z/2Z X Z/2'=+iZ. 

Second, it implies that when Jk is prime, the reduction of the point Pa has order 
2fc+i jj-^ ECZ/JkZ). The second condition is actually stronger than necessary (in 
general, one only needs Pa to have order greater than 2^^'/^+^), but it simplifies 
matters. 

We prove in Theorem 14.11 that the integer Jk is prime if and only if the point Pa 
has order 2*^+^ on "Ea mod Jk" ■ More precisely, we prove that if one applies the 
standard formulas for the elliptic curve group law to compute scalar multiples 
Qi — 2*Pa using projective coordinates Qi — [xi, yi, Zi] in the ring Z/JkZ, then Jk 
is prime if and only if gcd{Jk, Zk) = 1 and Zk+i = 0. This allows us to determine 
whether Jk is prime or composite using 0{k) operations in the ring Z/ JkZ, yielding 
a bit complexity of 0(/c^ logfcloglogfc) = 0{k^) (see Proposition 15.21 for a more 
precise bound). 

We note that, unlike the Fermat numbers, the Mersenne numbers, and many 
similar numbers of a special form, the integers Jk are not amenable to any of the 
classical "iV — 1" or "TV + 1" type primality tests (or combined tests) that are 
typically used to find very large primes (indeed, the 1000 largest primes currently 
listed in [J all have the shape a5" ± 1 for some small integers a and h). 

In combination with a sieving approach described in SjSl we have used our algo- 
rithm to determine the primality of Jk for all k up to 700, 000. The prime values 
of Jk are listed in Table S] For k > 100, 000, we believe that these primes are all 
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larger than any previous examples of proven primes for which no nontrivial partial 
factorization of either — 1 or + 1 is known. 

As explained in the technique we use does not easily generalize to elliptic 
curves with CM by fields other than Q(i), Q(^/^), Q(v^), and Q{y^). Gener- 
alizations have been suggested to the settings of higher dimensional abelian varieties 
with complex multiplication, algebraic tori, and group schemes by Chudnovsky and 
Chudnovsky ^ , Gross , and Gurevich and Kunyavskii [14] , respectively. In the 
PhD theses of the first and fourth authors, and in a forthcoming paper, we are 
extending the results in this paper to a more general framework. 

Acknowledgments: We thank Daniel J. Bernstein, Frangois Morain, Carl Pomer- 
ance, and Karl Rubin for helpful conversations, and the organizers of ECC 2010, 
the First Abel Conference, and the AWM Anniversary Conference where useful 
discussions took place. 

2. Relation to Prior Work 

In [5] , Chudnovsky and Chudnovsky consider certain sequences of integers Sk = 
Norm^/Q(l + aoai), defined by algebraic integers uq and ai in an imaginary qua- 
dratic field K = Q{y/D). They give sufficient conditions for the primality of 
Sfc, using an elliptic curve E with CM by K. In our setting, D = —7, ao ~ 2, 
ai = (1 -|- ^—7)/2, and Jk — Sk- The key difference here is that we give necessary 
and sufficient criteria for primality that can be efficiently checked by a deterministic 
algorithm. This is achieved by carefully selecting the curves Ea/Q that we use, so 
that in each case we are able to prove that the point Pa G Ea{Q) reduces to a 
point of maximal order 2'^"'"^ on Ea mod Jk, whenever Jk is prime. Without such 
a construction, we know of no way to obtain any non-trivial point on E mod Sk in 
deterministic polynomial time. 

Our work is a direct extension of the techniques developed by Gross [T31 [31] , 
Dcnomme and Savin [7] , and Tsumura |33| , who use elliptic curves with CM by the 
ring of integers of Q{i) or Q(-\/— 3) to test the primality of Mersenne, Fermat, and 
related numbers. However, as noted by Pomerance |26[ §4], the integers considered 
in [7] can be proved prime using classical methods that are more efficient and do 
not involve elliptic curves, and the same applies to [131 1231 IM] • But this is not the 
case for the sequence we consider here. 

3. Background and Notation 

3.1. Elliptic curve primality proving. Primality proving algorithms based on 
elliptic curves have been proposed since the mid-1980s. Bosma [3] and Chudnovsky 
and Chudnovsky [5] considered a setting similar to the one employed here, using 
elliptic curves to prove the primality of numbers of a special form; Bosma proposed 
the use of elliptic curves with complex multiplication by Q(i) or 3), while 

Chudnovsky and Chudnovsky considered a wider range of elliptic curves and other 
algebraic varieties. Goldwasser and Kilian TT! gave the first general purpose elliptic 
curve primality proving algorithm, using randomly generated elliptic curves. Atkin 
and Morain [2l [23] developed an improved version of the Goldwasser-Kilian algo- 
rithm that uses the CM method to construct the elliptic curves used, rather than 
generating them at random. Gordon [12] proposed a general purpose compositeness 
test using supersingular reductions of CM elliptic curves over Q. 
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Throughout this paper, if i? C is an eUiptic curve over Q, we shall write 
points [a;,?/, z] g E(Q) so that x,y,z G Z and gcd{x, y,z) — 1, and we may use 
(x, y) to denote the projective point [x, y, 1]. 

We say that a point P = [x, y, z] € E{Q) is zero mod N when N divides z; 
otherwise P is nonzero mod N. Note that if P is zero mod N then P is zero mod p 
for all primes p dividing N . 

Definition 3.1. Given an elliptic curve E over Q, a point P = [x^y,z\ € E(Q), 
and iV G Z, we say that P is strongly nonzero mod N if gcd(z, A'^) = 1. 

If P is strongly nonzero mod N, then P is nonzero mod p for every prime p\N, and 
if N is prime, then P is strongly nonzero mod N if and only if P is nonzero mod N. 

We rely on the following fundamental result, which can be found in [TT1[TB]. For 
the sake of completeness, we give a short proof here. 

Proposition 3.2. Let E/Q be an elliptic curve, let N be a positive integer prime 
to disc(£:), let P G E{Q), and let m > {N^/^ + l)^. Suppose mP is zero mod N 
and {m/q)P is strongly nonzero mod N for all primes q\m. Then N is prime. 

Proof. If mP is zero mod N then it is zero mod p for every prime p\N , so the order 
of the reduction of P in E{'L/p'L) divides m. If the order m' of P in E{'L/p'L) is 
less than m for some prime p\N , then to' divides m/q for some prime q\m. But 
then {m/q)P is zero mod p, hence not strongly nonzero mod iV, contrary to our 
hypothesis. So P has order to in E{'L/p'L) for every prime p\N . If N is not prime 
then it has a prime divisor p < \/N. We then have 

\E{¥p)\ > TO > + If > + 1)2 = p + 1 + 2VP. 

But the Hasse bound implies |i?(Fp)| < p+l + 2y/p, so N must be prime. □ 

To make practical use of Proposition 13. 2[ one needs to know the prime factor- 
ization of TO. For general elliptic curve primality proving this presents a challenge; 
the algorithms of Goldwasser-Kilian and Atkin-Morain use different approaches to 
ensure that to has an easy factorization, but both must then recursively construct 
primality proofs for the primes q dividing to. In our restricted setting we effectively 
fix the prime factorization of to = 2^^+^ ahead of time. 

3.2. Complex multiplication and Frobenius endomorphism. For any num- 
ber field F, let Op denote its ring of integers. If E is an elliptic curve over a 
field K, and ftfc is the space of holomorphic differentials on E over K, then ftx is 
a one-dimensional if-vector space, and there is a canonical ring homomorphism 

(2) EndK{E) ~^EndK{^) = K. 

Suppose now that E is an elliptic curve over an imaginary quadratic field and 
that E has complex multiplication (CM) by Ok, meaning that EndK{E) ~ Or. 
Then the image of the map in ^ is Ok- Let V' ■ Ok ~^ End/s-(£^) denote the 
inverse map. Suppose that p is a prime ideal of K at which E has good reduction 
and let E denote the reduction of E mod p. Then the composition 

Oj, ^ EndK{E) ^ Endo^/piE), 

where the first map is ip and the second is induced by reduction mod p, gives a 
canonical embedding 

(3) Ok ^ End(-B). 
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The Frobenius endomorphism of E is {x,y) i— (x'^^y'^) where q — Normx/Q(p); 
under the embedding in ([3]) , the Frobenius endomorphism is the image of a partic- 
ular generator tt of the (principal) ideal p. By abuse of notation, we say that the 
Frobenius endomorphism is tt. 

3.3. A general setting and some remarks. Suppose (for simplicity) that K is 
an imaginary quadratic field of class number one, Ai, . . . , are prime elements of 
its ring of integers Ok^ and 7 G Ok — {0}. Suppose k — [ki, . . . ,ks) €W and let: 

(4) Afc = 7A^ • • • A^ , TTfc 1 + Afc, Fk= NormK/Q(7rfc). 

Let E be an elliptic curve over Q with complex multiplication by Ok and positive 
rank over K , and fix a point P £ E{K) of infinite order. Our goal is to obtain a 
description of the natural numbers /ci, . . . , fcs such that: 

(i) if TTfe is prime, then the Frobenius endomorphism of E modulo ['Kk ) is tt^ ; 

(ii) if TTfe is prime, then P mod T:k ^ \E(Ok /(T^k)) for i — 1, . . . , s. 

For such ki, . . . ,ks (sufficiently large), Fk is prime if and only if A^P = mod tt^ 
and (Afc/Ai)P is strongly nonzero mod tt^ for all i. 

However, finding a nice description of the k that satisfy condition (ii) is con- 
strained by the following result. 

Proposition 3.3. With notation as above, let Fi := K{E[Xi]) and let Li := 
Fi{X^ {P)). Then P mod tt^ ^ XiE{OK /{T^k)) if and only if (TTk) splits completely 
in Fi/ K hut does not split completely in Li/ K . 

When Li/K is an abelian extension, class field theory tells us that the splitting 
behavior in Li/K of a prime ideal of Ok is determined by congruence conditions. 
But if Li/K is not abelian, then this is not true. In general, we do not know a 
good way to characterize the prime ideals of K that split completely in Fi but not 
in Li] thus we lack a concise description of the "good" k. For any given k, one 
could check whether P ^ XiE{OK / i'^'k)), but the method used in [ZlIIS] and in this 
paper determines a "good" k in advance. 

Requiring Li/K to be an abelian extension is a very strong constraint. In par- 
ticular, if P ^ XiE{K), then it implies that E[Xi] C E{K). However, elliptic curves 
with CM by K have only very limited torsion over K. If E is defined over Q, 
this only happens when Norm^/Q(Ai) = 2, or when j = and Normx/Q(Ai) = 3 
or 4. So if one wants a simple description of congruence classes for the "good" fc, 
one is restricted to K ^ Q(v^) with A, = (1 ± ^/^)/2, 01 K = Q(\/^) with 
X, = ^/^, OT K = Q{i) with X, ^ 1 + i, or Q(%/^) with A^ = or 2. 

In this paper we focus on the case K — Q{V—7), 7 = 2, s = 1, Ai = a 
(in the notation of (jlj above). We have applied the techniques of this paper to 
other sequences, in particular to several of the form NoirnQf^^^yqll + -fa'^^a'^'^). 
For example, taking 7 = 1, fei = 3fc + 2, and ^2 = 3fc -I- 1 gives the sequence 
26fc+3 _(_ 23fc-i-i _|_ however, for ^ 1 (mod 4), these numbers succumb to classical 
iV - 1 tests. 

3.4. Generalized Legendre and Jacobi symbols. We next give definitions of 
generalized Legendre and Jacobi symbols for number fields, as in [17] . for example. 
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Definition 3.4. For F a number field, a € Of, and p a prime ideal of Of, define 
the (generalized) Legendre symbol: 

ifaep, 

1 if a is a nonzero square mod p, 
-1 otherwise. 



If a is an ideal of Of, the (generalized) Jacobi symbol (— ) is defined multiplicatively, 
as usual. If is a principal ideal in Of, we may use (^) to denote {j^)- 

4. Main Theorem 

In this section we state and prove our main result, Theorem 14. 1[ which gives a 
necessary and sufficient condition for the primality of the numbers Jfc. 
Fix a particular square root of —7 and let K — Q(V —7). Let 

1 + 



" 2 ^ 

and for each positive integer fc, let 

jk = 1 + la^ e l\a\ and = Norm;^/Q(jfe) = jfcjfc S N. 

Note that is prime in Z if and only if j^, is prime in Ok- Note also that 
Normx/Q(a) — aa = 2. 

Recall the family of elliptic curves Ea defined by H]). Lemma [4.41 below shows 
that Jk is composite if fc = (mod 8) or fc = 6 (mod 24), so we omit these cases 
from our primality criterion. For each remaining value of fc, Table[T]lists the twisting 
parameter a and the point Pa G Ea{Q) we associate to fc. For each of these a, the 
elliptic curve Ea has rank one over Q, and the point Pa is a generator for Ea{Q) 
modulo torsion. 

Table 1. The twisting parameters a and points Pa 



fc 




a 


Pa 


fc EE 


or 2 (mod 3) 


-1 


(1,8) 


fc = 


4,7,13,22 (mod 24) 


-5 


(15,50) 


fc = 


10 (mod 24) 


-6 


(21,63) 


fc = 


1,19 (mod 72) 


-17 


(81,440) 


fc = 


25,43,49,67 (mod 72) 


-111 


(-633, 12384) 



Theorem 4.1. Fix fc > 1 such that fc ^ (mod 8) and fc ^ 6 (mod 24). 

Let Pa € Ea{Q) be as in Table[^ (depending on k). The following are equivalent: 

(i) 2'^+^Pa is zero mod Jk and 2^Pa is strongly nonzero mod Jk; 

(ii) Jk is prime. 

We shall prove Theorem 14.11 via a series of lemmas, but let us first outline the 
proof. One direction is easy: since 2*^+^ > {j].^^ + 1)^ for all fc > 1, if (i) holds then 
so does (ii), by Proposition 3.2. 

Now fix a and Pa as in Table [l] and let Pa denote the reduction of Pa modulo jk- 
We first compute the set Sa of fc's for which Ea{OK/{jk)) — C'i<-/(2a'^), as Ok- 
modules. We then compute a set Ta of fc's such that when jk is prime. Pa does not 
lie in aEa{OK/ijk)) if and only if fc e Ta (note that a G Ok ^ End(£'o))- For 
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k £ Sa n Ta, the point Pa has order 2*^+^ whenever Jk is prime, and we can use 
Proposition 13 . 21 to prove that Jk is prime. 

We now fill in the details. Many of the explicit calculations below were performed 
with the assistance of the Sage computer algebra system [32^. 

4.1. The linear recurrence sequence Jk- As noted in the introduction, the 
sequence Jk satisfies the linear recurrence relation 

(5) Jk+4 — 4Ja:+3 — 7Jk+2 + 8Jk+l — 4Jfe. 

We now prove this, and also note some periodic properties of this sequence. See [5] 
or |201 Ch. 6] for basic properties of linear recurrence sequences. 

Definition 4.2. We call a sequence ak (purely) periodic if there exists an integer m 
such that ttk — cik+m for all k. The minimal such m is the period of the sequence. 

Lemma 4.3. The sequence Jk satisfies ([5]). If p is an odd prime and p C Ok is a 
prime ideal above (p), then the sequence Jk mod p is periodic, with period equal to 
the least common multiple of the orders of 2 and a in (Ok/p)*- 

Proof. The characteristic polynomial of the linear recurrence in ([5]) is 

f(x) =x^ ~ Ax^ + 7a;2 - + 4 = (a; - l)(a; - 2){x^ + 

whose roots are 1, 2, a, and a. It follows that the sequences 1*"', 2*^, a'', and a'', and 
any linear combination of these sequences, satisfy ([5|). Thus Jk satisfies dS]). 

One easily checks that the lemma is true for p = 7, so assume p 7. Let A be 
the 4x4 matrix with Aij = Ji+j^i. Then det A ~ —2^^ • 7 is nonzero mod p, hence 
its rows are linearly independent over Fp. It follows from Theorems 6.19 and 6.27 
of [20] that the sequence Jk mod p is periodic, with period equal to the 1cm of the 
orders of the roots of / in F* (which we note are distinct). These roots all lie in 
Ok/P — ^pd, where c? G {1,2} is the residue degree of p. Since a = 2 /a, the order 
of a in (Ok/p)* divides the 1cm of the orders of 2 and a. The lemma follows. □ 

When p is an odd prime, let rup denote the period of the sequence Jk mod p. 
Lemma 14.31 implies that rUp always divides — 1 , and it divides p — 1 whenever p 
splits in K. 

Lemma 4.4. The following hold: 

(i) Jk is divisible by 3 if and only if k = (mod 8); 

(ii) Jk is divisible by 5 if and only if k = 6 (mod 24) . 

Proof. Lemma 14.31 allows us to compute the periods 7713 = 8 and ms = 24. It then 
suffices to check, for p ^ 3,5, when Jk = (mod p) for 1 < fc < nip. □ 

4.2. The set Sa- For each squarefree integer a we define the set of integers 

If jk is prime in Ok, then the Frobenius endomorphism of Ea over the finite field 
OK/{jk) corresponds to either jk or —jk- For elliptic curves over Q with complex 
multiplication, one can easily determine which is the case. 

Lemma 4.5. Suppose a is a squarefree integer, k € Sa, and jk is prime in Ok- 

(i) The Frobenius endomorphism of Ea over the finite field Ok /(jk) 'is jk- 

(ii) EaiOK/Uk)) ^ OK/{2a^) as OK-modules. 
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Proof. The elliptic curve Ea is the curve in Theorem 1 of (ST] p. 1117], with D = —7 
and TT = jk- By [STJ p. 1135], the Frobenius endomorphism of Ea over OK/{jk) is 



a \ Jk 



Jk e Ok- 



Part (i) then follows from the definition of Sa- For (ii), we note that (i) implies 

Ea{OK/{jk)) ^ ker(jfc - 1) = ker(2a'=) ~ Ok /{2a''), 
which completes the proof. □ 
Lemma 4.6. Ifk>\, then 

1 if k is odd, 
— 1 if k is even. 

Proof. For fc > 1, = 3 (mod 8) if k is even, and Jk = 7 (mod 8) if k is odd. □ 
We now explicitly compute the sets Sa for the values of a used in Theorem 14.11 

Table 2. The sets Sa 



(") (i) 



a 


m 


-Sa = {A; > 1 : fc mod m is as below} 


-1 


3 


0,2 


-5 


24 


0, 2, 4, 5, 7, 9, 12, 13, 16, 18, 21, 22, 23 


-6 


24 


3,7,9,10,11,12,13,17, 20,22 


-17 


144 


0, 1, 5, 7, 9, 10, 13, 14, 15, 18, 19, 20, 22, 23, 27, 30, 31, 33, 34, 
36, 42, 43, 44, 45, 49, 50, 53, 56, 61, 62, 63, 66, 67, 68, 70, 71, 
72, 73, 75, 76, 78, 79, 80, 81, 82, 83, 90, 91, 92, 93, 97, 99, 100, 
104, 106, 108, 110, 111, 112, 114, 117, 118, 121, 122, 123, 125, 
126, 128, 129, 133, 135, 136, 137, 138, 139, 141, 143 


-111 


72 


2, 4, 6, 9, 14, 15, 18, 20, 22, 23, 25, 30, 33, 34, 35, 37, 38, 39, 41, 
42, 43, 47, 49, 50, 52, 53, 54, 55, 57, 58, 63, 65, 66, 67, 68, 70 



Lemma 4.7. For a € {—1, —5, —6, —17, —111} the sets Sa are as in Tahle\^ 
Proof. Since = 1 + 2a'^, and a = 4 (mod a/— 7), and 2-^=1 (mod 7), we have 

/ Jfc A / l + 22^+i \ ^ f 1 iffc=l (mod 3), 
\ 7 / I -1 iffc = 0,2 (mod3). 
We now need to compute (-^) for a — —1, —5, —6, —17, and —111. By Lemma lT^ i). 
we have (7^) — ~1- Applying Lemma [4.31 to the odd primes p = 3,5, 17,37 that 
can divide a, we find that the periods rup of the sequences Jk mod p are = 8, 
ms = 24, TO17 — 144, and TO37 — 36. Since (7^) = —1, it follows from quadratic 
reciprocity that for a — —5, —17, and —111, the period of the sequence (^) divides 
the least common multiple of the periods vrip for p\a. For a — —6, by Lemma l4.6f ii) 
the period of (^) is 2, which already divides ms = 8. Since 3 is the period of the 

sequence {^^), we find the period m of (-^)(--^=) listed in Table [5] by taking the 
least common multiple of 3 and the nip for p\a. To compute Sa, it then suffices to 
compute ( -j^ ) and check when ( ^ ) = ( ), forl<fc<r7i + l. □ 
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4.3. The set Ta. We now define the sets Ta. 

Definition 4.8. Let a be a squarefree integer, and suppose that P G Ea{K). Then 
the field K(a''^{P)) has degree 1 or 2 over K, so it can he written in the form 
K{^/5^) with Sp G K. Let 

Tp:={fceZ:(f)=-l}. 

For the values of a listed in Table{ll let Ta — Tp^ and let Sa = Sp^. 

Lemma 4.9. Suppose jk is prime in Ok and let a be a squarefree integer. Sup- 
pose that P g Ea{K), and let P denote the reduction of P mod jk- Then P ^ 
aEa{OK/ (jk)) if and only ifk&Tp. 

Proof. Let L — K{a^^{P)) = K{'^) for some 7 S i such that 7^ = 6p. Fix a 
Q e Ea{Q) such that aQ = P. Since ker(Q!) C Ea[2] C Ea{K), we have K{Q) = 
L = K{j). Fix a prime ideal p of L above (jk), let F = Ox/Uk), let Q € £^a(F) be 
the reduction of Q mod p, and let 7 be the reduction of 7 mod p. Then F(Q) = F(7). 

Now P G aEa{¥) if and only if Q e Ea{¥). By the above, this happens if and 
only if 7 G F, that is, if and only if Sp is a square modulo jk- O 

Lemma 4.10. We can take 

(5_i = a, (5_5 = —5a, (5_@ = — 3\/— 7, (5_i7 = a, iJ-m — —3. 

Proof. The action of the endomorphism a on the elliptic curve Ea and its reductions 
is as follows (see Proposition n.2.3.1 of [301 P- HI])- For i^jU) € Ea, we have 

, X / 2x^+a{7-^/^)x+a^{-7-21^) y{2x^+a{li-2^)x+a'' {2S+li^/^)) 

Solving for R in aR = Pa yields Sa in each case. □ 
Lemma 4.11. Lf k > 1 then (^-^^ = -1. 

Proof. Let M = K (y/a). By the reciprocity law of global class field theory we have 

l[{jk,M,/K,) = l, 
p 

where (jk, Mp/ Kp) is the norm residue symbol. 
Let f{x) = — jk & Oko, N- For fc > 1 we have 

|/(1)U - \2a\ = 2-(^-+i) < = |4U = ' 

and Hensel's lemma implies that f{x) has a root in Ok^ ■ Thus jk is a square in 
and {jk,Ma/Ka) = 1. 

Identify Ka with Q2- Applying Theorem 1 of [29l p. 20] with a = jk and b = a, 
and using a"^ — b + a, gives (jfc, a) = —1, where (jk, a) is the Hilbert symbol. Thus 
jk ^ NormM^/Ka (A^g), and therefore {jk,Ms/Ks) = -1. 

If p is a prime ideal of Ok that does not divide 2, then 7\fp/isrp is unramified. 
By local class field theory we then have 

{jk,Mp/Kp)=^- 
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Since jk is prime to 2, we have ordQ(jfe) = orda(jfc) = 0, hence 

pt2 pt2 ^ ^ all p ^ ^ ^ ^-^ 

Therefore, 



1 = l[{jk,M,/K,) = (-) {jk,MjK^){jk,M^/K^) = - (- 



P 

as desired. □ 



Lemma 4.12. For a E { — 1, —5, —6, —7, —111} the sets Ta are as follows: 





= Z, 




= {k 


T-e 


= {k 


T-17 


= Z, 


T-111 


= {k 



{k EE 1,2,3,6 (mod 8)}. 

Proof. We apply Lemma 14.101 and the definition of Ta . Lemma 14.111 imphes that 
r_i — T^n = Z. For a = —6 we use quadratic reciprocity in quadratic fields 
(see Theorem 8.15 of [TTl p. 257]) to compute For the remaining cases 

we compute (^j^^ = (^f) (^) ^ (^) ^^"^ proof of Lemma 14.71 and 

apply (^j^^ — from Lemma [4.111 □ 

4.4. Proof of Theorem mH 

Lemma 4.13. Let a be a squarefree integer and let fee S'^ H T^. Suppose that jk 
is prime, and let Pa be the reduction of Pa mod jk . Then the annihilator of Pa in 
Ok is divisible by a^~^^ . 

Proof. We have Ea{OKl{jk)) ^ 0^/(20;'^) = ©^/(aa'^+i), by Lemma SSIii) . It 
then suffices to show Pa ^ aEa{OK /{jk j), which follows from Lemma lL9l □ 



The congruence conditions for k in Table [T] come from taking SaCiTa, excluding 
the cases handled by Lemma 14.41 and adjusting to give disjoint sets. 

Now suppose that k > 1, k ^ (mod 8), k ^ 6 (mod 24), and Jk is prime. Let 
a and Pa be as listed in Table [TJ Then k G Sa^ Ta- Let P denote the reduction of 
Pa mod jk- We have EaiOx /(jk)) — Ox/i'^a'^) by Lemma ITST ii'). and therefore 
the annihilator of P in Ok divides 2a''. By Lemma [4.131 the annihilator of P in 
Ok is divisible by a'^'^'^. Since 2a'^ divides 2*^+^ but a'^"'"^ does not divide 2*^, we 
must have 2'=+ip = and 2'=P ^ 0. Therefore 2''+'^Pa is zero mod Jk and 2'= Pa is 
strongly nonzero mod Jk. 

For the converse, we apply Proposition 13.21 with m = 2*^+^, noting that 

2fe+i > ((3.2^+1)3 + 1)2 > (jy4 + l)2 
for aU k>2, and for fc = 2 we have 2'^+^ = 8 > (11^/'* + if = (J^'' + 1)^. 
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5. Algorithm 



A naive implementation of Theorem 14.11 is entirely straightforward, but here we 
describe a particularly efficient implementation and analyze its complexity. We 
then discuss how the algorithm may be used in combination with sieving to search 
for prime values of J^, and give some computational results. 

5.1. Implementation. There are two features of the primality criterion given by 
Theorem 14. II worth noting. First, it is only necessary to perform the operation of 
adding a point on the elliptic curve to itself (doubling), no general additions are 
required. Second, testing whether a projective point P = [x, y, z] is zero or strongly 
nonzero modulo an integer Jk only involves the z-coordinate: P is zero mod Jk if 
and only if Jk\z, and P is strongly nonzero mod Jk if and only if gcd(z, Jk) = 1. 
To reduce the cost of doubling, we transform the curve 

E^: =x^ - 3ba^x - OSa^ 

to the Montgomery form 

Ea^b ■■ By^ = + Ax^ + x. 

Such a transformation is not possible over Q, but it can be done over Q(-y/— 7). In 
general, one transforms a short Weierstrass equation y^ — j{x) = x^ + a,ix + into 
Montgomery form by choosing a root 7 of /(x) and setting B = (87^ — 04)^^/^ and 
A — 3jB; see, e.g., [TS]. For the curve Ea, we choose 7 = ^(—7 + \/^)a, yielding 

, -15-37^ J „ 7 + 3V^ 

A = and B = . 

8 56a 

With this transformation, the point Pa — {xo,yo) on Ea corresponds to the point 

{B{xo — 7), Byo) on the Montgomery curve Ea.b, and is defined over Q(-\/~7). 

In order to apply this transformation modulo Jk, we need a square root of —7 in 

Z,/ JkZ. Fortunately, when Jk is prime it is easy to compute square roots modulo Jk, 

because Jk = S (mod 4). Since Jk = 2,4 (mod 7) is always a quadratic residue 

modulo 7, if Jk is prime then —7 is a quadratic residue modulo Jk, and 7 is not (by 

quadratic reciprocity). Thus if we compute 

d = 7(-^'=+i)/4 

in Z/JkZ, then for prime Jk we have = 7(''fc+i)/2 = 7(./io-i)/2 . 7 ^ _j (j^^q^j j^)^ 
by Euler's criterion. Conversely, if (P ^ —7 (mod Jk), then Jk is immediately 
shown to be composite. 

With the transformation to Montgomery form, the formulas for doubling a point 
on Ea become particularly simple. If P = [xi,yi, zi] is a projective point on Ea^b 
and 2P = [x2, y2, 22], we may determine [x2, Z2] from [xi, zi] via 

(6) 4x1 Zl = (a;i + zi)"^ + {xi — zi)^, 

X2 = (2^1 + 21)^(2^1 - zi)^, 
Z2 — 4a;izi((a;i — zi)^ + C(4a;iZi)), 

where 

C=(A + 2)/4=i^|^. 

Note that C does not depend on P (or even a), and may be precomputed. Thus 
doubling requires just 2 squarings, 3 multiplications, and 4 additions in Z/Jk'Z. 
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We now present the algorithm, which exploits the transformation of Ea into 
Montgomery form. We assume that elements of Z/J^Z are uniquely represented as 
integers in [0, Jfc — 1]. 

Algorithm 15.11 

Input: positive integers k and Jfc. 

Output: true if Jk is prime and false if Jk is composite. 

1. If fc = (mod 8) or fc = 6 (mod 24) then return false. 

2. Compute d = T^'^^+i'/'' mod Jk- 

3. If (P ^ —7 (mod Jk) then return false. 

4. Determine a via Table [1] depending on k (mod 72). 

5. Compute r — (—7 + d)a/2 mod Jk, B = {7 + 3d)/(56a) mod Jk, and 
C = (l-3d)/32 mod Jfc. 

6. Let xi — B{xq — r) mod Jk and zi — \, where Pa — (xq, j/o) is as in Table[T] 

7. For i from 1 to fc + 1, compute [xi, Zi] from [xi^i, Zi^i] via (jS]). 

8. If gcd(2:fc, Jfc) — 1 and Jfcjzfc+i then return true, otherwise return false. 

The tests in step 1 rule out cases where Jk is divisible by 3 or 5, by Lemma HH] 
Jfc is then composite, since Jk > 5 for all fc. This also ensures that gcd(a, Jfc) = 1, 
so the divisions in step 5 are all valid (Jfc is never divisible by 2 or 7). 

Proposition 5.2. Algorithm \5.1\ performs 6fc + o(fc) multiplications and Ak addi- 
tions in TLj JkTl^- Its time complexity is 0(fc^ log fc log log fc) and it uses 0{k) space. 

Proof. Using standard techniques for fast exponentiation |35) . step 2 uses fc + o(fc) 
multiplications in Ij Jklj- Steps 5-6 perform 0(1) operations in Ij Jk'l and step 7 
uses 5fc multiplications and 4fc additions. Using the fast Euclidean algorithm [lOj 
Cor. 11.10], the cost of the gcd computed in step 8 is comparatively negligible, 
as are the costs of the divisions in step 5 (which only involve small denominators 
in any case). Multiplications (and additions) in Z/JfcZ have a bit complexity of 
0(M(fc)), where M(fc) counts the bit operations needed to multiply fc-bit integers 
[lOl Thm. 9.8]. The bound on the time complexity of Algorithm 15.11 then follows 
from the Schonhage-Strassen [28] bound: M(fc) = 0(fc log fc log log fc). The space 
complexity bound is immediate: the algorithm only needs to keep track of two pairs 
\xi, Zi] and [xi-i, Zi_i] at any one time, and elements of Ij Jkl can be represented 
using 0(fc) bits. □ 

Table 13] gives timings for Algorithm 15 . II when implemented using the gmp library 
for all integer arithmetic, including the gcd computations. We list the times for 
step 2 and step 7 separately (the time spent on the other steps is negligible) . In the 
typical case, where Jfc is composite, the algorithm is very likel^Q to terminate in 
step 2, which effectively determines whether Jfc is a strong probable prime base —7, 
as in [BJ Alg. 3.5.3]. To obtain representative timings at the values of fc listed, we 
temporarily modified the algorithm to skip step 2. 



Indeed, we have yet to encounter even a single Jj, that is a strong pseudoprime base —7. 
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We note that the timings for step 7 are suboptimal due to the fact that we used 
the gmp function mpz_mod to perform modular reductions. A lower level implemen- 
tation (using Montgomery reduction [21 , for example) might improve these timings 
by perhaps 20 or 30 percent. 

We remark that Algorithm 15.11 can easily be augmented, at essentially no addi- 
tional cost, to retain an intermediate point Q = [xa,ysi -Zs], where s = fc + 1 — ?' is 
chosen so that the order 2'' of Q is the least power of 2 greater than (J^* + 1)^. 
The value of ys may be obtained as a square root of y1 — {xl + Axizs + Xszl) / {Bzs) 
by computing (y2)(-ffc+i)/4)^ When J^, is prime, the algorithm can then output a 
Pomerance-style certificate {Ea,b,Q, r, Jk) for the primality of Jk- This certificate 
has the virtue that it can be verified using just 2.5fc-|-0(l) multiplications in TLj J^^, 
versus the 6fc -I- oik) multiplications used by Algorithm 15. 1[ by checking that the 
point Q has order 2*^ on the elliptic curve Ea^b mod Jk- 



Table 3. Timings for Algorithm 15. II 
(CPU seconds on a 3.0 GHz AMD Phenom II 945) 



k 




step 2 


step 7 


210 H 


hi 


0.00 


0.01 


2"h 


hi 


0.00 


0.02 


212 H 


hi 


0.02 


0.15 


213h 


hi 


0.15 


0.91 


214h 


hi 


0.88 


5.50 


215 H 


hi 


5.26 


32.2 


216 H 


hi 


27.5 


183 


217 H 


hi 


133 


983 


218 H 


hi 


723 


5010 


219 H 


hi 


3310 


23600 


220 H 


hi 


13700 


107000 



5.2. Searching for prime values of Jk- While one can directly apply Algo- 
rithm [53] to any particular Jfc, when searching a large range 1 < fc < n for prime 
values of Jk it is more efficient to first sieve the interval [l,n] to eliminate values 
of k for which Jk cannot be prime. 

For example, as noted in Lemma WM. if fc = (mod 8) then Jk is divisible by 3. 
More generally, for any small prime ^, one can very quickly compute Jk mod i for 
all A; < n by applying the linear recurrence ([S]) for J^, working modulo I. If < ^Jn^ 
then the sequence Jk mod i will necessarily cycle, but in any case it takes very little 
time to identify all the values oik <n for which Jk is divisible by the total time 
required is just 0(7ilog^), versus Oir?") if one were to instead apply a trial division 
by i to each Jk- 

We used this approach to sieve the interval [l,rt] for those fc for which Jk is not 
divisible by any prime £ < L. Of course one still needs to consider Jk l£ L, but 
this is a small set consisting of roughly log2 L values, each of which can be tested 
very quickly. With n = 10^ and L — 2^^, sieving reduces the number of potentially 
prime Jk by a factor of more than 10, leaving 93,707 integers Jk as candidate primes 
to be tested with Algorithm 15.11 The prime values of Jk found by the algorithm 
are listed in Table HJ along with the corresponding value of a. 
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Table 4. Prime values of Jk « 2*^+2 for k up to 700,000. 



7 

k 




Jk 


a 


7 

k 




Jk 


a 


7 

k 




Jk 


a 


2 




11 


-1 


319 


427., 


..247 


-5 


17807 


110., 


.799 


-1 


3 




23 


-1 


375 


307., 


..023 


-1 


18445 


125., 


,.407 


-5 


4 




67 


-5 


467 


152., 


..727 


-1 


19318 


793., 


.763 


-5 


5 




151 


-1 


489 


639., 


..239 


-1 


26207 


495., 


,.799 


-1 


7 




487 


-5 


494 


204., 


..963 


-1 


27140 


359., 


,.907 


-1 


9 




2039 


-1 


543 


115., 


..143 


-1 


31324 


116., 


,.867 


-5 


10 




4211 


-6 


643 


145., 


..399 


-17 


36397 


155., 


,.007 


-5 


17 


524087 


-1 


684 


321., 


..531 


-1 


47294 


327., 


.963 


-1 


18 


1046579 


-1 


725 


706., 


..551 


-1 


53849 


583., 


,.567 


-1 


28 


107. 


..427 


-5 


1129 


291., 


..591 


-17 


83578 


122., 


.491 


-6 


38 


109. 


..043 


-1 


1428 


297., 


..Oil 


-1 


114730 


593., 


,.411 


-6 


49 


225. 


..791 


-17 


2259 


425., 


..023 


-1 


132269 


345., 


.831 


-1 


53 


360. 


..711 


-1 


2734 


415., 


..123 


-5 


136539 


864., 


.023 


-1 


60 


461. 


..451 


-1 


2828 


822., 


..787 


-1 


-I A ^ A n 

147647 


599., 


,.399 


-1 


Oo 


368. 


..943 


-1 


oi4o 


1 7Pi 
i / 0., 


007 


-0 


10 ( UOo 


1 oo 
IzU., 


007 


-0 


65 


147. 


..007 


-1 


3230 


849., 


..483 


-1 


167950 


388., 


,.883 


-5 


77 


604. 


..191 


-1 


3779 


156., 


,.127 


-1 


257298 


104., 


,.179 


-1 


84 


773. 


..531 


-1 


5537 


254., 


..887 


-1 


342647 


423., 


.399 


-1 


87 


618. 


..703 


-1 


5759 


171., 


..279 


-1 


414349 


120., 


,.207 


-5 


100 


507. 


..507 


-5 


7069 


382., 


..207 


-5 


418033 


118., 


.831 


-17 


109 


259. 


..207 


-5 


7189 


508., 


..207 


-5 


470053 


451., 


,.407 


-5 


147 


713. 


..023 


-1 


7540 


233., 


..107 


-5 


475757 


536., 


.791 


-1 


170 


598. 


..611 


-1 


7729 


183., 


..591 


-17 


483244 


347., 


.667 


-5 


213 


526. 


..239 


-1 


9247 


168., 


..687 


-5 


680337 


279., 


,.759 


-1 


235 


220. 


..519 


-17 


10484 


398., 


..747 


-1 










287 


994. 


..999 


-1 


15795 


234., 


..023 


-1 











Table\^will be extended REFERENCES 
in h < ^(\^ 

- • [1] M. Agrawal, N. Kayal, N. Saxena, Primes is in P, Annals of Math. 160 (2004) 781-793. 

[2] A. O. L. Atkin, F. Morain, Elliptic curves and primality proving, Mathematics of Computa- 
tion 61 (1993) 29-68. 

[3] W. Bosma, Primality testing with elliptic curves, Doctoraalscriptie Report 85-12, Depart- 
ment of Mathematics, University of Amsterdam, 1985, 
|http : //www . math . ru . nl/- bosma/pubs/PRITwEC1985 . pd fl 

[4] C. Caldwell, The prime pages: prime number research, records, and resources, web site at 
|http : // primes .utm. edu/ 2012. 

[5] D. V. Chudnovsky, G. V. Chudnovsky, Sequences of numbers generated by addition informal 
groups and new primality and factorization tests. Adv. in Appl. Math 7 no. 4 (1986), 385—434. 

[6] R. Crandall, C. Pomerance, Prime numbers: A computational perspective. Second edition. 
Springer, New York, 2005. 

[7] R. Denomme, Gordan Savin, Elliptic purve primality tests for Fermat and related primes. 
Journal of Number Theory 128 (2008) 2398-2412. 

[8] G. Everest, A. van der Poorten, I. Shparlinski, T. Ward, Recurrence sequences, Mathematical 
Surveys and Monographs 104, Amer. Math. Soc, Providence, RI, 2003. 

[9] Free Software Foundation, GNU Multiple Precision Arithmetic Library, version 5.0.1, 
|http:// gmplib.org/ 2011. 
[10] J. von zur Gathen, J. Gerhard, Modern computer algebra, second edition, Cambridge Uni- 
versity Press, 2003. 



DETERMINISTIC ELLIPTIC CURVE PRIMALITY PROVING 



15 



[11] S. Goldwasser, J. Kilian, Almost all primes can he quickly certified, STOC '86 Proceedings 
of the Eighteenth Annual ACM Symposium on the Theory of Computing (1986) 316-329. 

[12] D. M. Gordon, Pseudoprimes on elliptic curves, in Theorie des nombres (Quebec, PQ, 1987), 
do Gruyter, BerUn, 1989, 290-305. 

[13] B. H. Gross, An elliptic curve test for Mersenne primes, J. Number Theory 110 (2005) 
114-119. 

[14] A. Gurevich, B. Kunyavskii, Primality testing through algebraic groups, Arch. Math. (Basel) 
93 (2009) 555-564. 

[15] O. Katsuyuki, K. Hiroyuki, S. Kouichi, Elliptic curves with the Montgomery-form and their 
cryptographic applications. Public Key Cryptography 2000, LNCS 1751 238-257, Springer, 
2000. 

[16] D. H. Lehmer, An extended theory of Lucas' functions. Annals of Math. 31 (1930) 419—448. 

[17] F. Lemmermeyer, Reciprocity laws. Prom Euler to Eisenstein, Springer Monographs in Math- 
ematics, Springer- Verlag, Berlin, 2000. 

[18] H. W. Lenstra Jr., Elliptic curves and number-theoretic algorithms. Proceedings of the Inter- 
national Congress of Mathematicians, Vol. 1, 2 (Berkeley, CaUf., 1986), 99-120, Amer. Math. 
Soc, Providence, RI, 1987. 

[19] H. W. Lenstra Jr., Carl Pomerance, Primality testing with Gaussian periods, preprint avail- 
able at http : //www .math. dartmouth. edu/~ carlp/ai;s041411 .pdf , 2011. 

[20] R. L. Lidl, H. Niederreiter, Introduction to finite fields and their applications, revised edition, 
Cambridge University Press, 1994. 

[21] P. L. Montgomery, Modular multiplication without trial division. Mathematics of Computa- 
tion 44 (1985), 519-521. 

[22] P. L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Mathe- 
matics of Computation 48 (1987) 243-264. 

[23] F. Morain, Elliptic curves, primality proving, and some titanic primes, Journees 
Arithmetiques, 1989 (Luminy, 1989), Asterisque No. 198-200 (1991), 245-251 (1992). 

[24] T. Pepin, Sur la formule 2^" -|- 1, Comptes Rendus Acad. Sci. Paris 85 (1877) 329-333. 

[25] C. Pomerance, Very short primality proofs. Mathematics of Computation 48 (1987) 315-322. 

[26] C. Pomerance, Primality testing: variations on a theme of Lucas, Congr. Numer. 201 (2010) 
301-312. 

[27] V. Pratt, Every prime has a succinct certificate, SIAM J. Computing 4 (1975) 214-220. 
[28] A. Schonhage, V. Strassen, Schnelle Multiplikation grofier Zahlen, Computing 7 (1971) 281— 
292. 

[29] J. P. Serre, A course in arithmetic. Graduate Texts in Mathematics, vol. 7, Springer- Verlag, 
New York-Heidelberg, 1973. 

[30] J. H. Silverman, Advanced topics in the arithmetic of elliptic curves, Graduate Texts in 
Mathematics, vol. 151, Springer- Verlag, New York, 1994. 

[31] H. M. Stark, Counting points on CM elliptic curves. The Rocky Mountain Journal of Math- 
ematics 26 No. 3 (1996) 1115-1138. 

[32] W. A. Stein et al.. Sage Mathematics Software (Version 4-7.1), The Sage Development Team, 

20 1 1 , Ihttp : //www . sagemath . org 

P+i 

[33] Y. Tsumura, Primality tests for 2^ + 2 ^ +1 using elliptic curves. Proceedings of the 

American Mathematical Society 139 (2011) 2697-2703. 
[34] S. Y. Yan, Glyn James, Testing Mersenne primes with elliptic curves, in Computer algebra 

in scientific computing, 303-312, Lecture Notes in Comput. Sci. 4194, Springer, Berlin, 2006. 
[35] A. C. Yao, On the evaluation of powers, SIAM J. Computing 5 (1976) 100-103. 

Department of Mathematics, University of California, Irvine, CA 92697 
E-mail address: aabatzogOmath . ucl . edu 

Department of Mathematics, University of California, Irvine, CA 92697 
E-mail address: asilverbOmath.uci . edu 

Department of Mathematics, MIT, Cambridge, MA 02139 
E-mail address: dr ewSmath . mit . edu 



Department of Mathematics, University of California, Irvine, CA 92697 
E-mail address: awong9inath.uci.edu 



